• Mobile Fraud and Malware
  • 3 Min Read
  • April 21, 2021

How the ad fraudsters hid 2019 biggest mobile phone attacks

By Upstream

Globally, there are some 2.5 billion Android phones. They represent an opportunity for criminals and a clear and present danger to operators, advertisers, and consumers.

Android phones are vulnerable to invisible attacks from fraudsters that are totally screened from view. These attacks are happening in the background of a host of popular apps that hundreds of millions of people have already downloaded.

In the background, these rogue apps are constantly making fake clicks on adverts, or secretly signing their users up to subscription services. The advertisers are paying the App providers for these fake clicks, consumers are being falsely registered for premium services and their data bundle used by activity they have no control over or are even aware it is taking place.

For 30 operators, our platform monitors transactions for anomalies or suspicious transactions.  In 2019, we processed more than 1.71 billion mobile app transactions on those networks and blocked 1.6 billion – more than 90 per cent – that were identified as fake or fraudulent.  We also found 43 million Android handsets affected with malware.

Based on our data, here are the apps that 2019’s biggest attacks hid behind:


Some 128 million suspicious or fraudulent transactions were generated in 15 different countries by this app in 2019. First exposed in May, a hidden component of the app delivers fake ads and attempts to generate clicks and even purchases. This app is now only available from some third-party Android stores and not from Google’s own store. Nevertheless, this video downloading app is still available, still active, and has racked up some 500 million downloads worldwide making it the fraudster’s best friend.


Running Vidmate a close second was the file-sharing app 4Shared.  Despite the apparent credibility of being available via the Google Play store, receiving high ratings and positive reviews from IT websites and even the Microsoft store, this app generated 114 millionsuspicious transactions in 17 countries.  As well as sharing files as requested by its users, 4Shared was also found to be sharing its users’ personal details in the background. After reporting the activity, Google removed the App from its Play store, but a new version reappeared the very next day and 4Shared remains a live threat.


Compared to the top two, only a relatively small number of devices were infected by Snaptube – just 4.4 million. Nevertheless, in just six months it was responsible for more than 70 million fraudulent transactions from those devices. The transactions were taking place behind the screen of this video downloading app popular in Egypt, Brazil, Sri Lanka, South Africa and Malaysia.  Left undetected, ad-fraudsters would have reaped $91 million from this activity first exposed in October last year. Now only available in third party app stores, Snaptube is still active and every day is making new attempts to defraud advertisers and misuse user data.

Weather Forecast

In 2019, some 27 million transactions were blocked on ‘Weather Forecast: World Weather Accurate Radar’. This forecasting app is still available on Google’s Play Store and is even pre-installed on some Alcatel Android phones. It commits advertising click fraud in the background while delivering its weather forecasts and maps in the foreground. This activity was first reported in January last year but the App is still being downloaded from Google Play and has now been installed on some ten million handsets.


Being on the Google Play platform gives these rogue Apps a cloak of credibility. Customizable keyboard app Ai.Type hid behind the cloak to initiate some 14 million fraudulent transactions that unless blocked would have resulted in a $18 million haul for the fraudsters.  For apps with hidden ad malware getting on, and remaining on, the Google Play Store is a major ambition.  Ai.Type was responsible for one of the biggest spikes of fraudulent activity in 2019 and was removed by Google from its Play Store in June. Nevertheless, it is still available from some third-party stores.

There’s a lot more…

The open nature of the Android ecosystem has been a strength to help the OS become a dominant force in the handset market.  But its open nature is also responsible for its security weakness.  The Apps above are behind some of the biggest attacks of 2019, but the number of malicious apps found to be hiding fraudulent activity from view is getting longer every day.  We publish the Secure-D Index that tracks all the apps we find to be behaving badly. If any of them are living on your phone – delete them now.


Geoffrey Cleaves is Head of Secure-D at Upstream. Secure-D provides real time fraud detection to mobile operators and digital marketers. Having used computers to analyse data since the age of 13, Geoffrey has held tech management roles in Chile, Argentina, Spain and the United States. Prior to joining Secure-D, Geoff was Managing Director at Opticks, a fraud detection venture he helped launch in 2017. Geoff was also Compliance Director at Billy Mobile analysing some 1Bn impressions daily.

Go Back



Do not miss our new insights

Subscribe for our latest insights and news. Stay in the know.